IT experts tell GPSJ: ‘Government not doing enough to protect public sector against cyberattacks’

76% of UK CEOs are concerned about cyber threats

Reporter: Stuart Littleford

In May the NHS suffered a large-scale ransomware attack. Although the attack was not specifically targeted at the NHS, a lack of IT security awareness and variations in software across the organisation’s IT systems meant the effects were devastating.

By the afternoon of the attack around 16 NHS Trusts and an unknown number of GP practices had been affected by the ransomware. Staff attempting to log into their computers were greeted by a large, red screen saying their files had been encrypted and they would need to pay a ransom in the electronic money Bitcoin to get them back.

The NHS was not being specifically targeted, but it was affected by the release of a virus called WannaCry or WannaDecryptor (or variations of these names) that had already hit a telecommunications company and some Spanish banks.

The Government & Public Sector Journal was contacted by Dr Saif Abed of AbedGraham, one of Europe’s largest healthcare IT strategy consultancies. Dr Abed trained in medicine but has specialised in IT strategy and security, founding the AbedGraham health IT and risk consultancy. As such, he was not surprised that the NHS was caught up in something bigger.

Speaking to GPSJ he said: “Ransomware tends to be widespread and opportunistic. If you really wanted to launch a sustained attack against a particular organisation, then you would use something more specialist and directly malicious than this.”

Even so, the NHS was hit hard. Some trusts, and boards in Scotland, had to close their A&E departments or urge patients to attend only if they had life-threatening conditions, as delays built up. There were numerous reports of appointments being cancelled and transfers and discharges delayed.

One surgery GPSJ spoke to in Oldham, Lancashire said they had “resorted to using a pen and paper” as all their IT systems were down, and they were just about managing to cope – although it was a disaster for the surgery.

The digital maturity assessment of trusts that NHS England conducted last year showed that a majority of trusts are still running computers on Windows XP. This is a Microsoft operating system that has not been supported since 2014 (or, for the UK public sector, 2015) and is no longer ‘patched’ against the sort of known vulnerability that WannaCry exploited.

Dr Abed says that a “full investigation” is needed to find out exactly what role each of these played.

“We need a forensic investigation into this, in part to avoid inappropriately blaming specific bits of software, or people.

“I have seen a lot of tweets apportioning blame: ‘It’s all the fault of the IT department’ or ‘how could people be so irresponsible as to click on a link’, but it’s not that straightforward.

“We have to ask why this software is still out there, why it is unpatched, why there hasn’t been the investment in clinical leadership to make people aware of the dangers, why there weren’t the people and processes in place to respond when it happened.

“Also, if we see this as only a technology issue, we run the risk of not seeing the situation for what it really is: a clinical risk and patient safety issue.

“We need to invest consistently in infrastructure and people and processes,” he says. “That is why we need a forensic inquiry, and one that leads to immediate action, not one that takes two years and then issues a report.

“If we can pinpoint the problems, we can build a co-ordinated relationship between suppliers, the government and NHS organisations that addresses the problems in a way that meets clinical need.

“The NHS needs to hold an enquiry into WannaCry and then get to grips with the fundamental problems that it exposed. The part of me that is a clinician is hoping that this will not be siloed as a technology issue.

“This needs to be seen as a national challenge and as a board-level priority, because it is a clinical safety and a patient care issue. It just so happened that this particular point of failure was based on technology.”

With cyberattacks on public sector organisations increasing, GPSJ spoke to an IT expert to find out whether the UK government is doing enough to protect against such threats.

GPSJ spoke with Markus Jakobsson, chief scientist at Agari and an expert in email security, and asked him about emerging email threats and his thoughts on the government’s preparedness for future attacks.

GPSJ: “What threat was presented by the recent attacks on MPs’ email systems?”

MJ: “The attacks on MPs’ emails were a brute force attack, and this isn’t as serious as some attacks. More threatening are the targeted phishing attacks for passwords, as these are more surgically targeted against ‘individuals of interest’ by hackers, allowing for potentially more private information about them.

“The attackers want sensitive data about systems and people to mount a second strike once compromised. With politicians this could involve damaging private information that could affect them getting elected in future – we have seen this in the States.”

GPSJ: “How serious is the threat to UK critical infrastructure?”

MJ: “I live in fear of attacks on utilities and internet systems; without these we are in trouble. If the power supplies are targeted, what is going to keep the computers and internet running that keep the critical national infrastructure working? Back-up supplies can only last so long, and these are desirable targets to infiltrate. We won’t know how badly infiltrated some of the UK systems are until such time as a conflict – we have seen this in Ukraine.”

GPSJ: “Do you think the UK government is doing enough to protect against future attacks?”

MJ: “I am sad to say the UK government isn’t taking these threats as seriously as they should; they haven’t caught up yet to the seriousness of the threat, and this is the same for other governments.

“You should not make it the task of individuals in an organisation to protect against threats; organisations should use outside specialist IT companies to protect their systems rather than relying on their own systems.

“It is also important to update software regularly, and if your software only runs on older operating systems it can’t be updated, as we have seen in the NHS with many operating systems being used across the UK – this can be disastrous and should be avoided at all costs.”

Pete Banham, a cyber resiliency expert at Mimecast, told GPSJ about the attack on Barts Health NHS Trust: “The ransomware attack on Barts reads like a textbook example. Without proper technical controls it only takes one person to open a malicious email attachment and the attacker is in. For healthcare organisations, the stakes are especially high. If attackers can gain or deny access to sensitive and very personal files, patient safety is on the line.

“Cybercriminals are incredibly sophisticated at using email for attack and bypassing traditional security procedures.

“Bowing to these hackers’ ransom demands only emboldens and finances them for further attacks. Only by adopting a cyber resilient approach can organisations recover quickly from this type of attack.”